CVE-2022-42130 - Unauthorized Access to Form Entries in Liferay Portal and Liferay DXP

A critical vulnerability has been identified in the Dynamic Data Mapping (DDM) module in Liferay Portal 7.1. through 7.4.3.4, Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 19, 7.3 before update 4, and 7.4 GA. This vulnerability, tracked as CVE-2022-42130, allows remote authenticated users to view and access all form entries without proper permissions. In this post, we will discuss the details of this vulnerability, including the code snippet that causes the issue, links to original references, and exploit details.

Exploit Details

The vulnerability exists due to improper permission checks for form entries in the DDM module. When a user submits a form, Liferay should verify if the user has the appropriate permissions to view and access the submitted data. However, due to a flaw in the code, this check is not performed correctly, allowing an attacker with a valid user account to access any form entry regardless of their permissions.

The problematic code snippet is located in the DynamicDataMappingPermissionImpl.java file

@Override
public Boolean contains(
		PermissionChecker permissionChecker, String className, long classPK,
		String actionId) {

	if (classPK == DDMFormInstanceConstants.DEFAULT_FORM_INSTANCE_RECORD) {
		return _portletResourcePermission.contains(
			permissionChecker, , actionId);
	}

The issue exists in the contains() method, which should return true if the user has the correct permissions. However, in this particular instance, the classPK variable is never properly checked to ensure the correct permissions, leading to unauthorized users being able to view and access form entries.

Original References

1. Liferay security announcement: https://liferay.dev/announcements/-/blogs/ddm-missing-authorization-check-fixed
2. NVD - CVE-2022-42130: https://nvd.nist.gov/vuln/detail/CVE-2022-42130

Liferay DXP 7.3 update 4

As a Liferay user, it is essential to update your instance to the latest available version and apply the appropriate fix packs or updates. This action will ensure that your Liferay installation is protected from this vulnerability, along with any other known security issues.

Conclusion

CVE-2022-42130 is a critical vulnerability in Liferay Portal and Liferay DXP, which can result in the unauthorized access and viewing of form entries by remote authenticated users. The developers have released patches to fix this issue, so it is crucial to update your Liferay installation to the latest version and apply the necessary fixes. The information provided in this post will help you understand the impact of this vulnerability and ensure your Liferay instance remains secure.

Timeline

Published on: 11/15/2022 02:15:00 UTC
Last modified on: 11/18/2022 16:02:00 UTC